a15cdaf2f2ebd348a0331142e59985301ac7feb195b37443cb71cfab1e91daa6

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
Size

1.6MB
MD5

7518d6db8ef1321b5572bc71f824ec27
SHA1

15c64f0443f98144bb181e95040eb2ed4a764767
SHA256

a15cdaf2f2ebd348a0331142e59985301ac7feb195b37443cb71cfab1e91daa6
SHA512

828d6445ad01ff3881293368888d5ae21a7f9899793d9a332ee622e6b7be4f83f57d1bf8459d90ac8872121752c258a9a7a86d81fd857ec21f94a24063c16de7
SSDEEP

49152:2Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9b:2GIjR1Oh0T/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
804	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 940	1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	30
PID 1960 wrote to memory of 940	1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	30
PID 1960 wrote to memory of 940	1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	30
PID 1960 wrote to memory of 940	1960	7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe	30
PID 940 wrote to memory of 804	940	cmd.exe	32
PID 940 wrote to memory of 804	940	cmd.exe	32
PID 940 wrote to memory of 804	940	cmd.exe	32
PID 940 wrote to memory of 804	940	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7518d6db8ef1321b5572bc71f824ec27_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\32454.bat" "C:\Users\Admin\AppData\Local\Temp\96673458E0124D5D8678FAAF7F251142\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32454.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\96673458E0124D5D8678FAAF7F251142\96673458E0124D5D8678FAAF7F251142_LogFile.txt

Filesize
2KB

MD5
2f61af25c4b53169c7ae78d65c8eb3b3

SHA1
9bd4d03a2b9b09578f756ac3f4b356d4a114c2e1

SHA256
969d9294d41756c7fecc97c882aeeecd969312b62d1b4fc4c691f5523aa53245

SHA512
b68d490dcbb340d2730637a3e72375c72593ecde14cd71d8c4c70f82a82560a0dc28dc4dd620b97a61130914c126e58f271773352a7ecf7bb24f4c5e098d1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\96673458E0124D5D8678FAAF7F251142\96673458E0124D5D8678FAAF7F251142_LogFile.txt

Filesize
9KB

MD5
68ba3a3807071523421a241440eb976a

SHA1
b2b3be168d26eb983a2b04fe137f35f8df3d665d

SHA256
bba16119a149924fc7021be203497eca1058cd79c343c76f52f2d60591ec9d39

SHA512
ad332292d837192d8f6aa143580b8270ce105c9b7ca52375b5152d108bc3534a7b8ee89095b9f3ca9c1058b5de6d92daa6d5a3f9675a84371bd7bb4769fbdb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\96673458E0124D5D8678FAAF7F251142\966734~1.TXT

Filesize
103KB

MD5
2e8455c33da3dac6f9baf2c199a0e65d

SHA1
cfceeeb208b05d2bd823d4e0747215feda6684f1

SHA256
02f20b95c918bad65cccb095fa2c0ed9e06f1430dae3a40a2f77d8c549e33482

SHA512
8178e1adade97a65afa096524bdf85c343967cd72c2f53bcff733170f7435541a7e26cebeb3301bb43ce9d629595a600c58c2d5aa3c1448120fee9e4fa3de274

Download Submit
memory/1960-63-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1960-184-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download